[pkix] Signed JavaScript/JSON Objects using ES6

Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 28 October 2015 06:19 UTC

From: Anders Rundgren <anders.rundgren.net@gmail.com>
To: "pkix@ietf.org" <pkix@ietf.org>
Message-ID: <563068D5.3020807@gmail.com>
Date: Wed, 28 Oct 2015 07:19:01 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/CNiqbnJ4AFkKbPB65cWSbquHLxw>
Subject: [pkix] Signed JavaScript/JSON Objects using ES6
List-Id: PKIX Working Group <pkix.ietf.org>

For some reason the folks at Ecma specifying EcmaScript (aka JavaScript) gave in to the (probably somewhat uneducated) developer community who wanted properties to enumerate in "creation order" rather than in an unspecified/random fashion.

Although most likely entirely unintended, this opens the door to ultra-simple, in-object signature schemes that (unlike JOSE) do not force you to "dress" messages in Base64 just because you need a signature.

http://webpki.org/ietf/draft-rundgren-predictable-serialization-for-json-tools-00.html#rfc.section.3.3

I have used this scheme (modulo floating point) in practice for more than a year with all the major browsers without any hiccups, but now it feels much better since the "black magic/guessing" is gone :-)

Anders